A cloud environment without standards behaves like a codebase without conventions.

A short field guide on structuring a cloud environment so it stays manageable, secure, and financially accountable as it grows. Written for the engineering leaders who own it.

Who this is for.

Inheriting a cloud organisation that grew account by account, with no clear pattern across teams or environments.

Standing up a new landing zone and trying to make the structural decisions only once.

Looking at a non-production environment that costs almost as much as production and wanting to understand the shape of it.

Tightening cross-account access without disrupting the pipelines that depend on the current setup.

The patterns this guide responds to.

A few situations engineering leaders tend to recognise across cloud environments. These are the patterns that emerge when conventions are not set early.

  1. Resources become harder to identify over time.

    Naming conventions tend to evolve organically. One team settles on prod-db-01. Another lands on database-production. A third uses something only the original author understood. Ownership becomes less obvious. Lifecycle decisions get deferred. Resources outlive the projects that created them.

  2. The monthly bill arrives as one number.

    Cloud spend looks like a single line item, but it's a combination of many — different teams, products, and departments, all funded from the same budget. Without a way to split it back out, every cost conversation treats it as one expense the engineering org has to defend in full. The question "which product is this spend funding" rarely has a confident answer.

  3. Blast radius is a structural decision.

    One incident in one product becomes an incident across the business. When unrelated applications share an account, they share a security perimeter. A compromised credential, a misconfiguration, or a successful attack against the weakest application gives access to all of them. The blast radius is set by the structure, not by the severity of the original incident.

  4. Account granularity two extremes

    Too few accounts, and unrelated workloads share security perimeters, networks, and billing. Too many, and the overhead compounds — every new account is another set of network rules, access policies, and billing alerts to maintain. The structure ends up shaping how the platform team spends its time, in either direction.

What changes after you read it.

A problem in one environment stops becoming a problem across the business.

Account boundaries are the strongest security perimeter the cloud gives you. The guide covers how to use them as the foundation, not the afterthought.

Cloud spend stops being a black box on the CFO's desk.

When every resource carries a consistent tag and every account follows a predictable shape, the bill becomes readable. The guide covers the tagging and naming standards that make this possible without slowing the engineering team down.

The platform team stops being the bottleneck for every new project.

Predictable account structure and naming means new workloads land in the right place by default. Less coordination overhead. Fewer one-off decisions to make.

What's inside.

Five sections. Each one makes a recommendation, not a list of options.

01

Why standards matter

The case for setting the framework before the first workload lands, not after the thirtieth.

02

Security by default

Environment isolation and least-privilege access as the foundation, not the add-on.

03

Operational maintenance

Account granularity, the Goldilocks Principle, and the naming conventions that keep resources identifiable as the environment grows.

04

Financial optimisation

Tagging and cost allocation patterns that turn the monthly bill into a readable document.

05

Environment segregation

How production and non-production accounts should diverge in shape, not just in name.

The Goldilocks Principle.

Every new level of granularity multiplies the number of accounts the team has to manage. 10 teams across 4 environments lands at 40 accounts before the first workload is deployed.

10 teams × 4 environments = 40 accounts Before the first workload is deployed.
Low granularity

Two or three shared accounts

~2 accounts

Admin overhead stays low. Blast-radius isolation and per-team cost tracking get harder to recover later.

Goldilocks
Balanced

Per department, per environment

~12 accounts

Isolation where it matters. Environment-splitting becomes a deliberate lever rather than a default.

High granularity

Account per workload, per environment

~40+ accounts

Clean isolation and clean cost attribution. Becomes administratively unsustainable for a small-to-mid-sized platform team.

The Koritsu position

There is no single right number of accounts. The right shape depends on the size of the engineering team, the way departments are drawn, the regulatory profile, and the appetite for operational overhead.

The full guide walks through where to hold the line and where to bend it.

Who wrote it.

Koritsu is an engineering-grade FinOps team. We work at the code and architecture layer, not just the purchasing layer. This guide collects the organisational patterns we see hold up across the environments we run engagements in.

Feedback to info@koritsu.ai is read and incorporated.

v1.0 · feedback welcome

Five sections. Roughly a 20-minute read. PDF, no account required.